| services.wastebin.secretFile | Path to file containing sensitive environment variables
|
| hardware.nitrokey.enable | Enables udev rules for Nitrokey devices.
|
| services.logkeys.device | Use the given device as keyboard input event device instead of /dev/input/eventX default.
|
| services.coturn.dh-file | Use custom DH TLS key, stored in PEM format in the file.
|
| services.vault.tlsKeyFile | TLS private key file
|
| services.sharkey.setupRedis | Whether to automatically set up a local Redis cache and configure Sharkey to use it.
|
| services.buildkite-agents.<name>.privateSshKeyPath | OpenSSH private key
A run-time path to the key file, which is supposed to be provisioned
outside of Nix store.
|
| services.unbound.checkconf | Whether to check the resulting config file with unbound checkconf for syntax errors
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.sharkey.settings.mediaDirectory | Path to the folder where Sharkey stores uploaded media such as images and attachments.
|
| services.arsenik.wide | The right hand is moved one key to the right.
|
| services.keycloak.enable | Whether to enable the Keycloak identity and access management
server.
|
| services.yggdrasil.settings.PrivateKeyPath | Path to the private key file on the host system
|
| services.pgpkeyserver-lite.enable | Whether to enable pgpkeyserver-lite on a nginx vHost proxying to a gpg keyserver.
|
| services.misskey.settings.redisForTimelines | ioredis options for timelines
|
| services.longview.apiKey | Longview API key
|
| users.extraUsers.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| services.gitea.camoHmacKeyFile | Path to a file containing the camo HMAC key.
|
| services.nextcloud-spreed-signaling.settings.sessions.blockkeyFile | The path to the file containing the value for sessions.blockkey
|
| services.hockeypuck.settings | Configuration file for hockeypuck, here you can override
certain settings (loglevel and
openpgp.db.dsn) by just setting those values
|
| services.pgpkeyserver-lite.package | The pgpkeyserver-lite package to use.
|
| services.keycloak.package | The keycloak package to use.
|
| services.matrix-synapse.settings.signing_key_path | Path to the signing key to sign messages with.
|
| services.grafana.settings.database.client_key_path | The path to the client key
|
| services.sympa.settings | The sympa.conf configuration file as key value set
|
| services.misskey.settings.redisForTimelines.port | The Redis port.
|
| services.misskey.settings.redisForTimelines.host | The Redis host.
|
| services.misskey.reverseProxy.webserver.nginx.serverName | Name of this virtual host
|
| services.longview.apiKeyFile | A file containing the Longview API key
|
| services.logind.rebootKey | Specifies what to do when the reboot key is pressed.
|
| security.acme.certs.<name>.csrKey | Path to the private key to the matching certificate signing request.
|
| services.skydns.etcd.tlsPem | Skydns path of TLS client certificate - public key.
|
| services.skydns.etcd.tlsKey | Skydns path of TLS client certificate - private key.
|
| services.actkbd.bindings.*.keys | List of keycodes to match.
|
| services.prometheus.remoteWrite.*.sigv4.access_key | The Access Key ID.
|
| services.prometheus.remoteWrite.*.sigv4.secret_key | The Secret Access Key.
|
| services.kmonad.keyboards | Keyboard configuration.
|
| services.kanata.keyboards | Keyboard configurations.
|
| services.dnsdist.dnscrypt.providerKey | The filepath to the provider secret key
|
| services.pgpkeyserver-lite.hkpAddress | Which IP address the sks-keyserver is listening on.
|
| services.skydns.etcd.caCert | Skydns path of TLS certificate authority public key.
|
| services.yubikey-agent.package | The yubikey-agent package to use.
|
| services.misskey.settings.meilisearch | Meilisearch connection options.
|
| services.kubernetes.apiserver.tlsKeyFile | Kubernetes apiserver private key file.
|
| services.hockeypuck.port | HKP port to listen on.
|
| services.sks.enable | Whether to enable SKS (synchronizing key server for OpenPGP) and start the database
server
|
| hardware.keyboard.qmk.enable | Whether to enable non-root access to the firmware of QMK keyboards.
|
| services.crowdsec-firewall-bouncer.secrets.apiKeyPath | Path to the API key to authenticate with a local CrowdSec API
|
| services.misskey.reverseProxy.webserver.caddy | Extra configuration for the caddy virtual host of Misskey
|
| services.misskey.reverseProxy.webserver.nginx | Extra configuration for the nginx virtual host of Misskey
|
| services.pgpkeyserver-lite.hostname | Which hostname to set the vHost to that is proxying to sks.
|
| services.xserver.xkb.extraLayouts.<name>.keycodesFile | The path to the xkb keycodes file
|
| nix.sshServe.write | Whether to enable writing to the Nix store as a remote store via SSH
|
| services.uptermd.hostKey | Path to SSH host key
|
| services.kmonad.keyboards.<name>.defcfg.fallthrough | Whether to enable re-emitting unhandled key events.
|
| nix.settings | Configuration for Nix, see
https://nixos.org/manual/nix/stable/command-ref/conf-file.html or
nix.conf(5) for available options
|
| boot.initrd.luks.devices.<name>.yubikey.slot | Which slot on the YubiKey to challenge.
|
| services.warpgate.settings.ssh.host_key_verification | Specify host key verification action when connecting to a SSH target with unknown/differing host key.
|
| services.mackerel-agent.apiKeyFile | Path to file containing the Mackerel API key
|
| services.headscale.settings.noise.private_key_path | Path to noise private key file, generated automatically if it does not exist.
|
| services.misskey.settings.meilisearch.ssl | Whether to connect via SSL.
|
| services.misskey.reverseProxy.webserver.nginx.root | The path of the web root directory.
|
| boot.initrd.luks.yubikeySupport | Enables support for authenticating with a YubiKey on LUKS devices
|
| services.misskey.settings.meilisearch.host | The Meilisearch host.
|
| services.misskey.settings.meilisearch.port | The Meilisearch port.
|
| hardware.keyboard.teck.enable | Whether to enable non-root access to the firmware of TECK keyboards.
|
| programs.tmux.shortcut | Ctrl following by this key is used as the main shortcut.
|
| services.self-deploy.sshKeyFile | Path to SSH private key used to fetch private repositories over
SSH.
|
| services.syncoid.sshKey | SSH private key file to use to login to the remote system
|
| services.mympd.settings | Manages the configuration files declaratively
|
| programs.yubikey-manager.enable | Whether to enable yubikey-manager.
|
| networking.wireguard.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.nginx.proxyCachePath.<name>.keysZoneName | Set name to shared memory zone.
|
| services.nginx.proxyCachePath.<name>.keysZoneSize | Set size to shared memory zone.
|
| services.sharkey.openFirewall | Whether to open ports in the NixOS firewall for Sharkey.
|
| services.immichframe.settings.Accounts.*.ApiKeyFile | File containing an API key to talk to the Immich server
|
| programs.pay-respects.aiIntegration | Whether to enable pay-respects' LLM integration
|
| services.logind.suspendKey | Specifies what to do when the suspend key is pressed.
|
| services.postfix.config | The main.cf configuration file as key value set.
|
| services.dovecot2.sslCACert | Path to the server's CA certificate key.
|
| services.munge.password | The path to a daemon's secret key.
|
| services.netbox.secretKeyFile | Path to a file containing the secret key.
|
| services.oink.secretApiKeyFile | Path to a file containing the secret API key to use when modifying DNS records.
|
| services.ncps.cache.hostName | The hostname of the cache server. This is used to generate the
private key used for signing store paths (.narinfo)
|
| services.nghttpx.tls | TLS certificate and key paths
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.pubkeys | List of raw public key candidates to use for
authentication
|
| programs.wshowkeys.package | The wshowkeys package to use.
|
| services.keycloak.plugins | Keycloak plugin jar, ear files or derivations containing
them
|
| services.misskey.settings.meilisearch.scope | The search scope.
|
| services.misskey.reverseProxy.webserver.caddy.hostName | Canonical hostname for the server.
|
| boot.initrd.luks.devices.<name>.yubikey | The options to use for this LUKS device in YubiKey-PBA
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.esp_proposals | ESP proposals to offer for the CHILD_SA
|
| services.misskey.reverseProxy.webserver.caddy.serverAliases | Additional names of virtual hosts served by this virtual host configuration.
|
| services.misskey.reverseProxy.webserver.nginx.serverAliases | Additional names of virtual hosts served by this virtual host configuration.
|
| services.misskey.settings.meilisearch.index | Meilisearch index to use.
|
| services.printing.cups-pdf.instances.<name>.settings | Settings for a cups-pdf instance, see the descriptions in the template config file in the cups-pdf package
|
| services.druid.commonConfig | (key=value) Configuration to be written to common.runtime.properties
|
| services.arsenik.enable | Whether to enable A 33-key layout that works with all keyboards..
|
| services.strongswan-swanctl.swanctl.secrets.rsa | Private key decryption passphrase for a key in the rsa
folder.
|
| services.keycloak.settings.http-relative-path | The path relative to / for serving
resources.
In versions of Keycloak using Wildfly (<17),
this defaulted to /auth
|